Let's Encrypt

Jed Cunningham

Problem

Browser-trusted certs cost $$

Let's Encrypt CA

  • Non-profit
  • Wants to increase adoption of HTTPS
  • Free, 90 day certs
    • Encourages automation for renewal
    • Limits the damage window if a key is lost or stolen

stats

Let's Encrypt Stats

ACME Clients

Full list

ACME spec

Automatic Certificate Management Environment (ACME)

  • Domain validation: prove control of the name via a DNS record or an HTTP resource
  • Certificate issuance and revocation
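How both validation methods derive their proof from the ACME account key, as an added example (not part of the original slides and not certbot's code; the JWK is a constructed placeholder, not a real key). It also covers the TXT record value used by the DNS challenge on the "Behind firewall" slide.

```python
"""ACME (RFC 8555) challenge responses derived from the account key's
JWK thumbprint (RFC 7638). Added example, not certbot code; the JWK
below is constructed and is not a real key."""
import base64
import hashlib
import json

# Constructed RSA public key in JWK form. The values are placeholders
# (a real modulus is ~342 base64url chars). "kid" is an optional member
# that the thumbprint must ignore.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "constructed_modulus-not_a_real_key", "kid": "acct-1"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of only the required
    public members, keys sorted lexicographically, no whitespace.
    Optional members (kid, alg, use) are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode("utf-8"))


def key_authorization(token: str, jwk: dict) -> str:
    """http-01: body to serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01: TXT record value for _acme-challenge.<domain>."""
    return b64url_sha256(key_authorization(token, jwk).encode("ascii"))


def http01_response_is_valid(body: str, token: str, jwk: dict) -> bool:
    """Mirrors the CA's check: the body must equal the key authorization,
    except that trailing whitespace is ignored (RFC 8555 section 8.3)."""
    return body.rstrip() == key_authorization(token, jwk)
```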

certbot


# Debian jessie: certbot is packaged in jessie-backports
$ sudo apt-get install certbot -t jessie-backports
# --standalone: certbot runs its own temporary web server to answer the challenge
# --staging: use the staging CA while testing (certs are not browser-trusted, rate limits are relaxed)
$ sudo certbot certonly --standalone --staging -d example.com

# Result: /etc/letsencrypt/live/example.com/fullchain.pem (plus privkey.pem alongside it)

nginx


# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# "ssl" on the listen lines already enables TLS; the old "ssl on;" directive
# is deprecated and redundant here
# fullchain.pem includes the intermediate, which clients need to build the chain
ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
# privkey.pem stays root-only; the nginx master reads it as root before dropping privileges
ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); a current config lists TLSv1.2 and TLSv1.3 only
ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers             HIGH:!aNULL:!MD5;

Check our work

Qualys SSL Labs

Renewal


# Renews only certs within 30 days of expiry, so it is safe to run
# daily from cron or a systemd timer
certbot renew

More automatic

Will even configure your webserver!

  • Apache
  • nginx

Behind firewall

  • Split DNS: obtain the cert on a public-facing host, then copy it to the internal server
  • Use the DNS challenge with certbot (no inbound HTTP to the internal host is needed)

# Prints the TXT record to create at _acme-challenge.example.com, then waits
certbot certonly --manual --preferred-challenges dns -d example.com

Note: Let's Encrypt publishes every cert it issues to public Certificate Transparency logs, so any internal hostname you put in a cert becomes public